diff --git a/apps/builder/libs/google-sheets.ts b/apps/builder/libs/google-sheets.ts index 40fd43cdb..b46051135 100644 --- a/apps/builder/libs/google-sheets.ts +++ b/apps/builder/libs/google-sheets.ts @@ -13,9 +13,11 @@ export const oauth2Client = new OAuth2Client( export const getAuthenticatedGoogleClient = async ( userId: string, credentialsId: string -): Promise => { - const credentials = (await prisma.credentials.findUnique({ - where: { id: credentialsId }, +): Promise< + { client: OAuth2Client; credentials: CredentialsFromDb } | undefined +> => { + const credentials = (await prisma.credentials.findFirst({ + where: { id: credentialsId, ownerId: userId }, })) as CredentialsFromDb | undefined if (!credentials || credentials.ownerId !== userId) return const data = decrypt( @@ -25,7 +27,7 @@ export const getAuthenticatedGoogleClient = async ( oauth2Client.setCredentials(data) oauth2Client.on('tokens', updateTokens(credentialsId, data)) - return oauth2Client + return { client: oauth2Client, credentials } } const updateTokens = diff --git a/apps/builder/mocks/index.ts b/apps/builder/mocks/index.ts index f0c46097b..7c955ebdc 100644 --- a/apps/builder/mocks/index.ts +++ b/apps/builder/mocks/index.ts @@ -6,7 +6,7 @@ const handlers = () => [ const authenticatedUser = JSON.parse( typeof localStorage !== 'undefined' ? (localStorage.getItem('authenticatedUser') as string) - : '{"id":"proUser","name":"John Smith","email":"john@smith.com","emailVerified":null,"image":"https://avatars.githubusercontent.com/u/16015833?v=4","plan":"PRO","stripeId":null}' + : '{"id":"proUser","name":"Pro user","email":"pro-user@email.com","emailVerified":null,"image":"https://avatars.githubusercontent.com/u/16015833?v=4","plan":"PRO","stripeId":null}' ) return res( ctx.json({ diff --git a/apps/builder/pages/api/integrations/google-sheets/spreadsheets.ts b/apps/builder/pages/api/integrations/google-sheets/spreadsheets.ts index 6685914c6..eccc20018 100644 
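Review bot: The new return type hands the whole `CredentialsFromDb` row to every caller, although the only field the callers in this commit read is `credentials.name`; the row presumably also carries the encrypted token blob that the `decrypt(` call on the next line consumes, so narrowing the type to `credentials: Pick<CredentialsFromDb, 'name' | 'ownerId'>` keeps that material out of handler scope and out of anything that serialises the object into a log or error report. The `credentials.ownerId !== userId` test after the `findFirst` is now redundant with the `ownerId: userId` filter in the query; it is worth keeping as defence in depth, but say so, e.g. `// belt-and-braces: the query above already filters on ownerId`. The function body continues past the end of the hunk.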
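Review bot: `oauth2Client` is the module-level instance declared at `export const oauth2Client = new OAuth2Client(` shown in the hunk context, so `setCredentials(data)` and the `on('tokens', updateTokens(credentialsId, data))` registration mutate one object shared by every request in the process; two concurrent requests for different users can interleave on it, and a refresh fired on that client runs every listener accumulated so far, which looks like it would write one user's refreshed tokens into another user's credentials row. Returning the shared instance inside the new `{ client, credentials }` object does not change that. Construct a fresh client per call with the same constructor arguments and register the listener on it, as below. The constructor arguments and the rest of the function body lie outside the hunk.
```typescript
  // One client per call: the exported singleton is shared across requests,
  // so its credentials and 'tokens' listeners must not be request-specific.
  const client = new OAuth2Client(/* same client id, secret and redirect URI as oauth2Client */)
  client.setCredentials(data)
  client.on('tokens', updateTokens(credentialsId, data))
  return { client, credentials }
```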
--- a/apps/builder/pages/api/integrations/google-sheets/spreadsheets.ts +++ b/apps/builder/pages/api/integrations/google-sheets/spreadsheets.ts @@ -1,8 +1,13 @@ import { NextApiRequest, NextApiResponse } from 'next' import { drive } from '@googleapis/drive' import { getAuthenticatedGoogleClient } from 'libs/google-sheets' -import { badRequest, methodNotAllowed, notAuthenticated } from 'utils' -import { setUser, withSentry } from '@sentry/nextjs' +import { + badRequest, + forbidden, + methodNotAllowed, + notAuthenticated, +} from 'utils' +import { captureException, setUser, withSentry } from '@sentry/nextjs' import { getAuthenticatedUser } from 'services/api/utils' const handler = async (req: NextApiRequest, res: NextApiResponse) => { @@ -16,9 +21,18 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => { const auth = await getAuthenticatedGoogleClient(user.id, credentialsId) if (!auth) return res.status(404).send("Couldn't find credentials in database") + console.log(auth.credentials.name, user.email) + if (auth.credentials.name !== user.email) { + captureException( + new Error( + `Credentials name does not match user email ${auth?.credentials.name} !== ${user.email}` + ) + ) + return forbidden(res) + } const response = await drive({ version: 'v3', - auth: auth, + auth: auth.client, }).files.list({ q: "mimeType='application/vnd.google-apps.spreadsheet'", fields: 'nextPageToken, files(id, name)', diff --git a/apps/builder/pages/api/integrations/google-sheets/spreadsheets/[id]/sheets.ts b/apps/builder/pages/api/integrations/google-sheets/spreadsheets/[id]/sheets.ts index 3027b8e85..0b18d96c2 100644 --- a/apps/builder/pages/api/integrations/google-sheets/spreadsheets/[id]/sheets.ts +++ b/apps/builder/pages/api/integrations/google-sheets/spreadsheets/[id]/sheets.ts 
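Review bot: `console.log(auth.credentials.name, user.email)` writes two e-mail addresses to the server log on every request, and the `captureException` message interpolates both into the event shipped to Sentry; that is personal data leaving the application for a debugging purpose, so drop the `console.log` and report the mismatch without the addresses, e.g. `new Error('Credentials name does not match user email')`, leaving identification to the `setUser` call already in this handler. The e-mail-equality rule is also enforced only here: the sibling `sheets.ts` endpoint in the same commit obtains the same client without it, so a credential refused with `forbidden(res)` on this route still works on that one, which argues for doing the check inside `getAuthenticatedGoogleClient` rather than per handler. `auth?.credentials.name` in the message can be `auth.credentials.name`, since `auth` is already narrowed by the 404 return above. The handler continues past the end of the hunk.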
@@ -21,12 +21,12 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => { const spreadsheetId = req.query.id.toString() const doc = new GoogleSpreadsheet(spreadsheetId) - const client = await getAuthenticatedGoogleClient(user.id, credentialsId) - if (!client) + const auth = await getAuthenticatedGoogleClient(user.id, credentialsId) + if (!auth) return res .status(404) .send({ message: "Couldn't find credentials in database" }) - doc.useOAuth2Client(client) + doc.useOAuth2Client(auth.client) await doc.loadInfo() return res.send({ sheets: ( diff --git a/apps/builder/playwright/services/database.ts b/apps/builder/playwright/services/database.ts index bb08a47b3..b22fe7e73 100644 --- a/apps/builder/playwright/services/database.ts +++ b/apps/builder/playwright/services/database.ts @@ -109,7 +109,7 @@ const createCredentials = () => { return prisma.credentials.createMany({ data: [ { - name: 'test2@gmail.com', + name: 'pro-user@email.com', ownerId: 'proUser', type: CredentialsType.GOOGLE_SHEETS, data: encryptedData, diff --git a/apps/builder/playwright/tests/integrations/googleSheets.spec.ts b/apps/builder/playwright/tests/integrations/googleSheets.spec.ts index 7ffe3ee67..ceac43a51 100644 --- a/apps/builder/playwright/tests/integrations/googleSheets.spec.ts +++ b/apps/builder/playwright/tests/integrations/googleSheets.spec.ts @@ -152,7 +152,7 @@ test.describe.parallel('Google sheets integration', () => { const fillInSpreadsheetInfo = async (page: Page) => { await page.click('text=Configure...') await page.click('text=Select an account') - await page.click('text=test2@gmail.com') + await page.click('text=pro-user@email.com') await page.fill('input[placeholder="Search for spreadsheet"]', 'CR') await page.click('text=CRM')
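Review bot: This handler now receives `auth.credentials` but never inspects it, whereas `spreadsheets.ts` in the same commit rejects the request with `forbidden(res)` when `auth.credentials.name !== user.email`; the same credential is therefore accepted by one endpoint and refused by the other. If that rule is an authorisation requirement it must hold for `loadInfo()` too, so either add the same guard before `doc.useOAuth2Client(auth.client)` or move it into `getAuthenticatedGoogleClient` so every caller gets it for free. `await doc.loadInfo()` is also unguarded here, so a Google API failure surfaces as a rejection rather than a deliberate status code, unless the wrapper around the handler, which is outside the hunk, takes care of that. The handler's start and end lie outside the hunk.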